AZ-104 - Microsoft Azure Administrator Cheat Sheet

This sheet covers Exam AZ-104, the single exam behind the Microsoft Certified: Azure Administrator Associate credential, mapped to the official skills measured as of April 17, 2026. AZ-104 validates that you can implement, manage, and monitor an organization's Azure environment across identity and governance, storage, compute, virtual networking, and monitoring and backup. Microsoft grades it as a hands-on role exam, so most questions are scenario based: you pick the action an administrator takes in the portal, Azure CLI, or PowerShell, not just a definition. The fastest way to move the needle is to learn which tool or feature solves each scenario and why Microsoft prefers it rather than memorizing trivia, because the exam rewards the right default action under realistic constraints.

What This Cheat Sheet Covers

This topic spans 32 focused tables and 289 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: Manage Microsoft Entra Users and GroupsTable 2: Manage Azure RBAC and Role AssignmentsTable 3: Governance Hierarchy: Management Groups, Subscriptions, and Resource GroupsTable 4: Implement and Manage Azure PolicyTable 5: Resource Locks and TagsTable 6: Manage Costs with Budgets, Alerts, and AdvisorTable 7: Storage Account Keys, SAS Tokens, and Stored Access PoliciesTable 8: Storage Firewalls and Identity-Based Access for Azure FilesTable 9: Create Storage Accounts: Redundancy and ReplicationTable 10: Storage Encryption and Data Movement ToolsTable 11: Azure Blob Storage: Containers, Tiers, Lifecycle, and VersioningTable 12: Azure Files SharesTable 13: Storage Data Protection: Soft Delete and SnapshotsTable 14: Azure Resource Manager Templates and BicepTable 15: Create and Configure Virtual MachinesTable 16: VM Availability Zones, Availability Sets, and Scale SetsTable 17: Azure Container Registry and Container InstancesTable 18: Azure Container Apps and Container ScalingTable 19: App Service Plans and ScalingTable 20: App Service Configuration: TLS, Custom Domains, and NetworkingTable 21: App Service Deployment Slots and BackupTable 22: Virtual Networks, Subnets, and PeeringTable 23: Public IP Addresses, User-Defined Routes, and Connectivity TroubleshootingTable 24: Network Security Groups and Application Security GroupsTable 25: Azure Bastion, Service Endpoints, and Private EndpointsTable 26: Azure DNSTable 27: Azure Load BalancerTable 28: Azure Monitor Metrics, Logs, and InsightsTable 29: Azure Monitor Alert Rules, Action Groups, and Alert Processing RulesTable 30: Network Watcher and Connection MonitorTable 31: Azure Backup: Vaults, Policies, and RestoreTable 32: Azure Site Recovery and Regional Failover

Table 1: Manage Microsoft Entra Users and Groups

AZ-104 area "Manage Azure identities and governance" (20 to 25%), task "Manage Microsoft Entra users and groups": create and manage users, groups, group membership, licenses, external users, and self-service password reset.

Concept	Example	Description
Member vs Guest user	Internal employee → UserType `Member` Invited partner → UserType `Guest`	`UserType` records the user's relationship to the tenant, not how they sign in. • Member = internal employee with full default access • Guest = external collaborator with restricted default permissions
Security group	Grant a team access to a SharePoint site or app	Used to grant access to resources and apps. Can contain users OR devices. Supports dynamic membership. Not to be confused with a Microsoft 365 group, which adds collaboration services.
Microsoft 365 group	New Team → backed by a Microsoft 365 group	Collaboration group giving members a shared mailbox, calendar, SharePoint, and Planner; Teams uses it for membership. Contains only users, never devices.
Assigned membership	Admin manually adds or removes each member	Membership is set by hand. Default for new groups. Use when membership doesn't follow a clean attribute rule, or for role-assignable groups.
Dynamic membership	`user.department -eq "Sales"` auto-fills the group	Membership is driven by an attribute rule, evaluated automatically. You can't manually add or remove a member. Requires a Microsoft Entra ID P1 license per member user.
Dynamic device group	`device.deviceOSType -eq "Windows"`	Only security groups can have device rules; Microsoft 365 groups can't. A single rule targets users or devices, never both, and a device rule can't reference the owner's user attributes.
Usage location	Set user `Usage location` = `US` before assigning a license	A two-letter country property that must be set before a license can be assigned, since some services aren't sold in all regions. Group licensing never overwrites an existing value.
Group-based licensing	Assign Microsoft 365 E5 to a group → all members inherit it	Assign a license once to a security group and every member inherits it. Requires P1. Nested groups aren't supported (only first-level members get the license).
Inherited vs direct license	Can't remove a group-inherited license on the user blade	A license inherited from a group can only be changed on the group, not the user. Direct assignments coexist and can be removed without touching inherited ones.

Table 1: Manage Microsoft Entra Users and Groups

Concept	Example	Description
Member vs Guest user	Internal employee → UserType `Member` Invited partner → UserType `Guest`	`UserType` records the user's relationship to the tenant, not how they sign in. • Member = internal employee with full default access • Guest = external collaborator with restricted default permissions
Security group	Grant a team access to a SharePoint site or app	Used to grant access to resources and apps. Can contain users OR devices. Supports dynamic membership. Not to be confused with a Microsoft 365 group, which adds collaboration services.
Microsoft 365 group	New Team → backed by a Microsoft 365 group	Collaboration group giving members a shared mailbox, calendar, SharePoint, and Planner; Teams uses it for membership. Contains only users, never devices.
Assigned membership	Admin manually adds or removes each member	Membership is set by hand. Default for new groups. Use when membership doesn't follow a clean attribute rule, or for role-assignable groups.
Dynamic membership	`user.department -eq "Sales"` auto-fills the group	Membership is driven by an attribute rule, evaluated automatically. You can't manually add or remove a member. Requires a Microsoft Entra ID P1 license per member user.
Dynamic device group	`device.deviceOSType -eq "Windows"`	Only security groups can have device rules; Microsoft 365 groups can't. A single rule targets users or devices, never both, and a device rule can't reference the owner's user attributes.
Usage location	Set user `Usage location` = `US` before assigning a license	A two-letter country property that must be set before a license can be assigned, since some services aren't sold in all regions. Group licensing never overwrites an existing value.
Group-based licensing	Assign Microsoft 365 E5 to a group → all members inherit it	Assign a license once to a security group and every member inherits it. Requires P1. Nested groups aren't supported (only first-level members get the license).
Inherited vs direct license	Can't remove a group-inherited license on the user blade	A license inherited from a group can only be changed on the group, not the user. Direct assignments coexist and can be removed without touching inherited ones.